Support » Plugin: Login LockDown » server cpu usage protection

  • My websites were blocked by my hosting provider because I was victim of brute force attack on wp-admin.
    In order to regain access to my site I had to filter the IP address on the htaccess file to only my ip address.
    But as it’s a buddypress installation this blocks my users from logging in.
    I then found your plugin. So my question is: when an ip is blocked, will it still be able to stress the server? Or does it prevent that?

Viewing 1 replies (of 1 total)
  • Plugin Author mvandemar


    @andricor I apologize for the delay in responding, I only just now got all of WordPress’s notifications from the past 2 months. Yes, it would still add a strain on the server. My suggestion to block bots from hammering the form is to set up an http auth layer on wp-conifg.php, where you can put both the username and password into the popup box, something like this:

    <Files wp-login.php>
    AuthType basic
    AuthName "WordPress login form protection, please enter 'human' as the username and 'password' as the password"
    AuthBasicProvider file
    AuthUserFile /home/username/.htpasswds/.htpasswd
    Require valid-user
    ErrorDocument 401 "WordPress login denied"

    You will need to create the .htpasswd file as well, which you can use this tool to do:

    Just make sure you match the path where you put the .htpasswd file. Then real users can read the title and reach the login form to log in to WordPress, whereas bots won’t. I have used this on multiple client sites and it is very effective. I would also recommend blocking all access to xmlrpc.php, aside from WordPress itself (Jetpack connects to the WordPress servers so they need to be able to get through):

    <Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
    ErrorDocument 403 "Denied"
    Allow from
    # should be allowed
    Allow from

    I hope this helps.


Viewing 1 replies (of 1 total)
  • The topic ‘server cpu usage protection’ is closed to new replies.